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METHOD FOR AUTHENTICATING SETTLEMENT TERMINAL AND 
SETTLEMENT METHOD USING THE SAME 

Technical Field 

The present invention relates to a method for authenticating a settlement 
5 terminal, and more particularly to a settlement terminal authentication method and a 
settlement method using the same, wherein settlement for a transaction can be 
prevented from being illegally conducted due to an information leakage occurring 
during transmission and reception of information for the transaction settlement through 
the use of a settlement terminal such as a credit card reader. 

1 0 Background Art 

Recently, with the ongoing industrialization and the advent of credit society, 
payment systems have been rapidly spread from a direct type where currency is paid 
directly for commodity purchasing or service use to an indirect type where money is paid 
through the use of a credit card, etc. for the commodity purchasing or service use. The 

15 indirect payment systems provide transparent transaction particulars enabling the 
prevention of problems such as tax evasion and so forth. In this regard, it is the current 
reality that the indirect payment systems are nationally widely encouraged. 

In a conventional credit card-based settlement method, when a user purchases a 
commodity from a credit card-affiliated store or uses a service therefrom, a credit card 

20 reading terminal reads user information stored in a credit card of the user and sends the 
read information to a credit card company together with transaction records. Thereafter, 
the credit card company approves the transaction on the basis of the sent user 
information. 

However, the above-mentioned conventional credit card-based settlement 
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method has an unsolved problem in that another person may make a fraudulent use of the 
user's credit card. Although the fraudulent use of the credit card mostly results from a 
loss or theft of the card, it may be sometimes caused due to a leakage of information 
being transmitted and received between the credit card reading terminal and the credit 
5 card company. For this reason, there is a need for user authentication to prevent the 
credit card from being illegally used by another person. Further, in order to prevent the 
credit card from being illegally used due to the information leakage, a settlement terminal 
must be authenticated for transaction settlement on the basis of encrypted data. 

Disclosure of the Invention 

10 Therefore, the present invention has been made in view of the above problems, 

and it is an object of the present invention to provide a method for authenticating a 
settlement terminal, wherein settlement for a transaction can be prevented from being 
illegally conducted due to an information leakage occurring during transmission and 
reception of information for the transaction settlement through the use of the settlement 

15 terminal. 

It is another object of the present invention to provide a settlement method 
wherein a settlement terminal is authenticated for transaction settlement on the basis of 
a dually encrypted terminal certificate, thereby providing more reliable security of 
information. 

20 In accordance with one aspect of the present invention, the above and other 

objects can be accomplished by the provision of a method for authenticating a 
settlement terminal connected to a settlement server over a network, comprising the 
steps of a) entering initial terminal information to the settlement server through the 
terminal and receiving a terminal ID and one-time password created by the settlement 

25 server; b) gaining access to the settlement server through the terminal and sending the 
terminal ID and one-time password and a MAC (Media Access Control) address to the 
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settlement server; c) determining on the basis of the sent terminal ID, one-time 
password and MAC address that the terminal is an authorized one and then storing the 
terminal ID, one-time password and MAC address in the settlement server; d) creating a 
terminal certificate for an SSL (Secure Socket Layer) protocol encrypted in an RSA 
5 (Rivest-Shamir-Adleman) manner on the basis of the terminal information and MAC 
address and storing the created terminal certificate in an LDAP (Light Weight Directory 
Access Protocol) server; and e) sending the terminal information and terminal certificate, 
and a server certificate and SEED key created by a certificate authority to the terminal. 

Preferably, the above step a) may include the steps of a-1) connecting the 

10 terminal to the settlement server over the network; a-2) entering a user ID and password 
for user identification; a-3) sending the terminal information to the settlement server 
through the terminal if a user is an authorized one; a-4) storing the sent terminal 
information and creating the terminal ID and one-time password on the basis of the 
stored terminal information; and a-5) storing the created terminal ID and one-time 

15 password and sending the stored terminal ID and one-time password and the MAC 
address to the terminal. 

In accordance with another aspect of the present invention, there is provided a 
settlement method based on authentication of a settlement terminal, comprising the 
steps of a) for settlement for a transaction, sending settlement information and a 

20 terminal certificate, encrypted on the basis of a SEED key, from the terminal to a 
settlement server according to an SSL (Secure Socket Layer) protocol over a network; b) 
extracting a terminal certificate and terminal information stored in an LDAP (Light 
Weight Directory Access Protocol) server; c) comparing a MAC (Media Access Control) 
address contained in the terminal certificate sent from the terminal with that contained in 

25 an information packet and, if the two MAC addresses are the same, determining that the 
terminal certificate sent from the terminal is valid; d) comparing the terminal certificate 
sent from the terminal with the terminal certificate extracted from the LDAP server and 
authenticating the terminal if the two terminal certificates are the same; and e) 
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approving the transaction on the basis of the settlement information and then sending 
approval information to the terminal. 

Brief Description of the Drawings 



The above and other objects, features and other advantages of the present 
5 invention will be more clearly understood from the following detailed description taken 
in conjunction with the accompanying drawings, in which: 

Fig. 1 is a block diagram schematically showing a connection between a 
settlement terminal and a terminal authentication server over a network; 

Fig. 2 is a block diagram illustrating a signal flow of an initial terminal 
10 information registration procedure of a settlement terminal authentication method in 
accordance with the present invention; 

Fig. 3 is a flow chart illustrating the initial terminal information registration 
procedure of the settlement terminal authentication method in accordance with the 
present invention; 

15 Fig. 4 is a block diagram illustrating a signal flow of a terminal authentication 

procedure of the settlement terminal authentication method in accordance with the 
present invention; 

Fig. 5 is a flow chart illustrating the terminal authentication procedure of the 
settlement terminal authentication method in accordance with the present invention; 
20 and 

Fig. 6 is a flow chart illustrating a settlement method in accordance with the 
present invention. 

Best Mode for Carrying Out the Invention 



In the present invention, a settlement terminal is authenticated on the basis of 



WO 03/001 736 PCT/K R02/00288 

5 

encrypted data. The settlement terminal is a general credit card settlement terminal. 
This credit card settlement terminal is generally connected to a settlement server or 
financial institution via a dedicated line. In this regard, a specific dedicated line is 
required in a place where the settlement terminal is installed. In this invention, the 
5 settlement terminal must be registered and authenticated because it is connected to a very 
high speed Internet network (under a TCP/IP environment), such as an ISDN or ADSL. 
Over the Internet, the position and information of the terminal have to be verified for 
each settlement. As a result, the authentication is required each time a settlement is 
conducted. 

10 Note that security of information is an essential factor to an open environment 

such as the Internet. In this connection, in the present invention, information is 
encrypted and transmitted and received for terminal authentication required for 
settlement. To this end, in the invention, modified SSL (Secure Socket Layer) 
communication is performed to exchange certificates between a server and a terminal on 

15 the basis of an asymmetric algorithm-based encryption. Further, the terminal encrypts 
information through the use of a symmetric algorithm-based SEED key and sends the 
encrypted information to the server. Although DES, 3DES and IDEA are generally 
used for symmetric encryption in a standard SSL, the present invention employs a 
modified SSL using SEED. 

20 In addition, according to the present invention, a terminal authentication server 

creates a one-time password in an initial terminal information registration procedure such 
that the password is used for terminal authentication. 

Now, a preferred embodiment of a settlement terminal authentication method 
according to the present invention will be described in detail in conjunction with the 

25 accompanying drawings. 

With reference to Fig. 1, there are conceptually shown in block form 
connections from a settlement-dedicated terminal 3 to a terminal authentication server 5 
and a settlement server 8 over a network 1 . 
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As shown in Fig. 1, the settlement-dedicated terminal 3 is connected to the 
terminal authentication server 5 and settlement server 8 over the network 1, which may 
be a TCP/IP-based very high speed communication network (for example, an ADSL 
network). The terminal authentication server 5 is connected to an LDAP server 7, and 
5 the settlement server 8 is connected to a financial settlement server 9 and a financial 
institution 11. Although the terminal authentication server 5, LDAP server 7 and 
settlement server 8 are shown in Fig. 1 to be individual servers, they may be substantially 
included in one server, or a Web server of a settlement service provider. 

The dedicated terminal 3, which is driven by a general or exclusive Web 
1 0 browser or an exclusive operating system, stores a SEED key provided from a certificate 
authority and encrypts information to be sent, using the stored SEED key. The terminal 
3 is also adapted to exchange certificates with the terminal authentication server 5 
according to a modified SSL protocol. 

As stated previously, information read by the dedicated terminal 3 is dually 
15 encrypted through the SSL and SEED key (i.e., encrypted according to the symmetric 
algorithm and asymmetric algorithm) and then sent to the terminal authentication server 
5 over the network 1. The LDAP (Light Weight Directory Access Protocol) server 7 
acts to store terminal information and a server certificate authenticated by the certificate 
authority and provide the stored certificate and terminal information to the terminal 
20 authentication server 5 when the terminal 3 is required to be authenticated. 

A description will hereinafter be given of an initial terminal information 
registration procedure in accordance with the present invention with reference to Fig. 2 
which is a block diagram illustrating a signal flow of the initial terminal information 
registration procedure, and Fig. 3 which is a flow chart illustrating in detail the initial 
25 terminal information registration procedure. 

For terminal registration, first, a manager dispatched from a terminal 
manufacturing company gains access to the terminal authentication server 5 through the 
terminal (S101) and enters an ID and password thereto (SI 02). The terminal 
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authentication server 5 receives the ID and password entered by the manager and 
compares them with those stored in a. database 13 to determine whether the manager is an 
authorized one (S103). If the manager is an authorized one, the terminal authentication 
server 5 permits the manager to enter and send terminal information to the server 5 
5 through the terminal 3 (SI 04). Thereafter, the terminal authentication server 5 receives 
the terminal information sent from the manager and stores it in the database 1 3 (SI 05). 
, Subsequently, the terminal authentication server 5 creates a one-time password 

in an existing 'challenge/response' manner or 'time synchronous' manner, which is well 
known in the art. The server 5 also creates a terminal ID (SI 06). The server 5 stores 

10 the created one-time password and terminal ID and a MAC (Media Access Control) 
address in the database 13 at the same time as sending them to the terminal 3 (SI 07). 

Through the above-described procedure, the terminal information is stored and 
registered in the database of the terminal authentication server, and the dedicated 
terminal is provided with the terminal ID, one-time password and MAC address for 

15 terminal authentication from the terminal authentication server. 

As stated above, the terminal authentication server 5 registers the terminal 
information, sent from the manager through the terminal, creates the terminal ID and 
one-time password and sends them back to the terminal. The terminal stores the 
terminal ID and one-time password sent from the terminal authentication server 5. 

20 Thereafter, for terminal authentication, the terminal gains access to the server 5 using the 
terminal ID and one-time password, and is then authenticated by the server 5. 

The terminal authentication server 5 is preferably a Web server that verifies user 
information and transaction information, applied from the terminal 3 for transaction 
settlement, and transfers settlement information to the settlement server as a result of the 

25 verification to allow the settlement server to approve the transaction. That is, the 
terminal authentication server 5 authenticates a specific terminal existing on the Internet 
when settlement for a transaction is required, so that the transaction settlement can be 
conducted. 
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Next, a description will be given of a terminal authentication procedure in 
accordance with the present invention with reference to Fig. 4 which is a block diagram 
illustrating a signal flow of the terminal authentication procedure, and Fig. 5 which is a 
flow chart illustrating in detail the terminal authentication procedure. 
5 For terminal authentication, first, the terminal 3 gains access to the terminal 

authentication server 5 (S201) and sends to the server 5 the terminal ID, one-time 
password and MAC address assigned upon the terminal registration (S202). The 
terminal authentication server 5 checks the terminal ID, one-time password and MAC 
address sent from the terminal to determine whether the terminal is an authorized one 
10 (S203). In the case where the terminal is an authorized one, the terminal 
authentication server 5 stores the sent terminal ID and MAC address in the database 13 
(S204). 

Thereafter, the terminal authentication server 5 creates a terminal certificate on 
the basis of the terminal information and MAC address (S205), and transfers the 
1 5 created terminal certificate to the LDAP server 7 to store it therein (S206). 

It should be noted herein that the terminal certificate is created in an 
asymmetric algorithm-based RSA (Rivest-Shamir-Adleman) manner because the 
modified SSL communication can be performed between the terminal 3 and the 
terminal authentication server 5. 

20 

On the other hand, if the terminal authentication server 5 requests a server 
certificate from a certificate authority 4 for authentication thereof, then the certificate 
authority 4 creates the server certificate in response to the request from the server 5 and 
provides it to the server 5 (S207). 
25 Thereafter, the terminal authentication server 5 sends the terminal certificate, 

server certificate, terminal information and SEED key to the terminal 3 (S208). 

As stated above, according to the present invention, the terminal 3 receives the 
one-time password, created upon its registration, from the terminal authentication 
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server 5, accesses the server 5 on the basis of the received password and receives the 
created terminal certificate and server certificate from the server 5 again. At this time, 
the terminal 3 also receives the symmetric algorithm-based SEED key to be used for 
the SSL communication and encrypts information to be sent, using the received SEED 
5 key. 

In the present embodiment, the terminal 3 is a general credit card reading 
terminal, preferably a settlement-dedicated terminal equipped with an exclusive Web 
browser (or exclusive operating system software). 

The terminal certificate, terminal information and SEED key, provided upon 
10 the initial authentication of the terminal 3, are used for terminal authentication and 
encryption of information to be sent, when transaction settlement is actually conducted. 
Fig. 6 illustrates a settlement method according to the present invention, wherein 
transaction settlement is conducted on the basis of terminal authentication. 

As shown in Fig. 6, if a user purchases a commodity or uses a service and then 
15 presents his/her credit card to settle his/her account for the commodity purchasing price 
or service usage fee (S301), the credit card reading terminal 3 encrypts the settlement 
information and terminal certificate with the SEED key and sends the encrypted 
settlement information and terminal certificate to the terminal authentication server 5 
(S302). At this time, the settlement information includes the terminal information, 
20 information contained in the credit card, transaction records and so forth. 

Notably, the terminal certificate is created according to the SSL protocol 
(namely, the RSA manner)-based asymmetric algorithm and then encrypted through the 
use of the symmetric algorithm-based SEED key. In other words, the terminal 
certificate is dually encrypted according to the symmetric/asymmetric algorithms, 
25 thereby ensuring more reliable security of information. 

Thereafter, the terminal authentication server 5 requests the LDAP server 7 to 
transfer the terminal certificate stored therein (S303). The terminal authentication 
server 5 compares the MAC address contained in the terminal certificate sent from the 
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terminal 3 with that contained in an information packet to determine whether they are 
the same. In the case where the two MAC addresses are determined to be the same, 
the terminal authentication server 5 recognizes that the terminal certificate sent from 
the terminal 3 is valid. Subsequently, the terminal authentication server 5 compares 
5 the terminal certificate sent from the terminal 3 with that transferred from the LDAP 
server 7 to determine whether they are the same. If the two terminal certificates are 
determined to be the same, then the server 5 authenticates the terminal 3 (S304). 

After authenticating the terminal 3, the terminal authentication server 5 
transfers the settlement information to the settlement server 8 to request it to approve 

10 the transaction (S305). Upon receiving the settlement information (containing, for 
example, user information, a user ID, a password and transaction records) transferred 
from the terminal authentication server 5, the settlement server 8 compares the received 
settlement information with information stored in its database to determine whether the 
user is a valid one. If the user is determined to be a valid one, then the settlement 

15 server 8 approves the transaction (S3 06) and sends approval information to the 
settlement terminal (S307). 

Industrial Applicability 

As apparent from the above description, according to the present invention, 
terminal authentication is carried out through the use of a one-time password that is 

20 assigned to a terminal upon initial terminal information registration. As a result of the 
authentication, the terminal is provided with a terminal certificate encrypted according 
to an asymmetric algorithm. Thereafter, when settlement for a transaction is actually 
conducted, the terminal certificate and settlement information are encrypted on the 
basis of a symmetric algorithm, thereby obtaining a more reliable security effect. 

25 Although the preferred embodiments of the present invention have been 

disclosed for illustrative purposes, those skilled in the art will appreciate that various 
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modifications, additions and substitutions are possible, without departing from the 
scope and spirit of the invention as disclosed in the accompanying claims. 
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Claims: 

1 . A method for authenticating a settlement terminal connected to a settlement 
server over a network, comprising the steps of: 

a) entering initial terminal information to said settlement server through said 
5 terminal and receiving a terminal ID and one-time password created by said settlement 

server; 

b) gaining access to said settlement server through said terminal and sending 
said terminal ID and one-time password and a MAC (Media Access Control) address to 
said settlement server; 

10 c) determining on the basis of the sent terminal ID, one-time password and 

MAC address that said terminal is an authorized one and then storing said terminal ID, 
one-time password and MAC address in said settlement server; 

d) creating a terminal certificate for an SSL (Secure Socket Layer) protocol 
encrypted in an RSA (Rivest-Shamir-Adleman) manner on the basis of said terminal 

15 information and MAC address and storing the created terminal certificate in an LDAP 
(Light Weight Directory Access Protocol) server; and 

e) sending said terminal information and terminal certificate, and a server 
certificate and SEED key created by a certificate authority to said terminal. 

2. The method as set forth in claim 1, wherein said settlement server includes a 
20 terminal authentication server. 

3. The method as set forth in claim 1, wherein said step a) includes the steps 

of: 



25 



a-1) connecting said terminal to said settlement server over said network; 

a-2) entering a user ID and password for user identification; 

a-3) sending said terminal information to said settlement server through said 
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terminal if a user is an authorized one; 

a-4) storing the sent terminal information and creating said terminal ID and 
one-time password on the basis of the stored terminal information; and 

a-5) storing the created terminal ID and one-time password and sending the 
5 stored terminal ID and one-time password and said MAC address to said terminal. 

4. The method as set forth in claim 3, wherein the connection of said terminal 
to said settlement server is made by a manager. 

5. The method as set forth in claim 1, wherein said one-time password is 
created in a challenge/response manner or time synchronous manner. 

10 6. The method as set forth in claim 1, wherein said network is a TCP/IP-based 

network. 

7. A settlement method based on authentication of a settlement terminal, 
comprising the steps of: 

a) for settlement for a transaction, sending settlement information and a 
15 terminal certificate, encrypted on the basis of a SEED key, from said terminal to a 

settlement server according to an SSL (Secure Socket Layer) protocol over a network; 

b) extracting a terminal certificate and terminal information stored in an LDAP 
(Light Weight Directory Access Protocol) server; 

c) comparing a MAC (Media Access Control) address contained in said terminal 
20 certificate sent from said terminal with that contained in an information packet and, if the 

two MAC addresses are the same, determining that said terminal certificate sent from 
said terminal is valid; 

d) comparing said terminal certificate sent from said terminal with said 
terminal certificate extracted from said LDAP server and authenticating said terminal if 
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the two terminal certificates are the same; and 

e) approving said transaction on the basis of said settlement information and 
then sending approval information to said terminal. 

8. The settlement method as set forth in claim 7, wherein said network is a 
TCP/IP-based network. 

9. A settlement method based on authentication of a settlement terminal, 
comprising the steps of: 

a) entering initial terminal information to a settlement server through said 
terminal and receiving a terminal ID and one-time password created by said settlement 
server; 

b) gaining access to said settlement server through said terminal and sending 
said terminal ID and one-time password and a MAC (Media Access Control) address to 
said settlement server; 

c) determining on the basis of the sent terminal ID, one-time password and 
MAC address that said terminal is an authorized one and then storing said terminal ID, 
one-time password and MAC address in said settlement server; 

d) creating a terminal certificate for an SSL (Secure Socket Layer) protocol 
encrypted in an RSA (Rivest-Shamir-Adleman) manner on the basis of said terminal 
information and MAC address and storing the created terminal certificate in an LDAP 
(Light Weight Directory Access Protocol) server; 

e) sending said terminal information and terminal certificate, and a server 
certificate and SEED key created by a certificate authority to said terminal; 

f) for settlement for a transaction, allowing said terminal to encrypt settlement 
information and said terminal certificate with said SEED key and send the encrypted 
settlement information and terminal certificate to said settlement server; 

g) receiving said terminal certificate and terminal information stored in said 
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LDAP server; 

h) comparing a MAC address contained in said terminal certificate sent from 
said terminal with that contained in an information packet and, if the two MAC addresses 
are the same, determining that said terminal certificate sent from said terminal is valid; 
5 i) comparing said terminal certificate sent from said terminal with said 

terminal certificate received from said LDAP server and authenticating said terminal if 
the two terminal certificates are the same; and 

j) approving said transaction on the basis of said settlement information and 
then sending approval information to said terminal. 
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